Add auth_backend data source #606


@adongy adongy commented Nov 14, 2019

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Add support for querying vault_auth_backend data with a datasource.
Some resources need the auth backend accessor (e.g. for identity groups). If it's managed outside Terraform, we can query the accessor through this datasource.

Release note for CHANGELOG:

Add `vault_auth_backend` datasource

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestDataSourceAuthBackend'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -run=TestDataSourceAuthBackend -timeout 120m
?   	github.com/terraform-providers/terraform-provider-vault	[no test files]
?   	github.com/terraform-providers/terraform-provider-vault/cmd/coverage	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/util	0.008s [no tests to run]
=== RUN   TestDataSourceAuthBackend
--- PASS: TestDataSourceAuthBackend (0.21s)
PASS
ok  	github.com/terraform-providers/terraform-provider-vault/vault	0.217s

@adongy adongy force-pushed the adong/add_auth_backend_data_source branch from b49b678 to 3532a2a Compare November 26, 2019 08:54

adongy commented Nov 26, 2019

Test failures seem unrelated.

@tyrannosaurus-becks tyrannosaurus-becks self-assigned this Dec 5, 2019

@tyrannosaurus-becks tyrannosaurus-becks left a comment

Hi @adongy, thanks for working on this!

I have a question. I notice that we already have something close to this available as a resource versus a data source. For other data sources, I can more easily see why one would be pulling data from Vault into their Terraform config. Like, for instance, I could see someone using the AWS data source to get an AWS access key and secret for Terraform to use in spinning up infrastructure.

I don't quite imagine the use case for this one. Can you fill me in?


adongy commented Dec 5, 2019

Hey @tyrannosaurus-becks,

Thanks for the review!

My use case is for bootstrapping Vault configuration. In my case, to avoid doing a manual "first time" Terraform configuration with a root token, I run a bootstrap script that registers some basic config.

In my case, I register an admin policy, as well as an OIDC mount to allow GSuite admin users to log in and get that policy. After that, I can revoke the initial root token, and work from short-lived tokens.

Through that bootstrap script, the OIDC mount is created, and I'd like to reuse it to allow non-admin users to also log in through that auth backend. This config is managed through Vault identities; aliases shenanigans are used, so it's a bit more complex.
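
An added example (not part of this pull request or the provider's own documentation) of the use case described in this thread: an OIDC auth mount created outside Terraform is looked up with the `vault_auth_backend` data source, and its accessor is passed to an identity group alias. The mount path `oidc`, the policy rules, and the group and alias names are assumptions.

```hcl
# Added example; names, paths and policy rules are constructed for illustration.

# The OIDC mount was created by a bootstrap script, so Terraform does not
# manage it. Look it up by path instead of declaring a resource for it.
data "vault_auth_backend" "oidc" {
  path = "oidc" # assumed mount path
}

# Narrow policy for non-admin users (assumed name and rules).
resource "vault_policy" "developers" {
  name   = "developers"
  policy = <<-EOT
    path "secret/data/dev/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

# External identity group: membership is derived from the OIDC provider.
resource "vault_identity_group" "developers" {
  name     = "developers"
  type     = "external"
  policies = [vault_policy.developers.name]
}

# The alias binds the provider-side group name to the mount through the
# mount accessor, which Vault generates and the data source reads back.
resource "vault_identity_group_alias" "developers" {
  name           = "developers@example.com" # assumed group claim value
  mount_accessor = data.vault_auth_backend.oidc.accessor
  canonical_id   = vault_identity_group.developers.id
}
```

Because the mount is read through a data source, `terraform destroy` on this configuration removes the group, alias and policy but leaves the bootstrap-created OIDC mount in place.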


@tyrannosaurus-becks tyrannosaurus-becks left a comment

This overall looks really awesome. Just a couple questions about which way we want to go on this, drilling into one item vs. reading them all.


@tyrannosaurus-becks tyrannosaurus-becks left a comment

This looks great. Thank you for adding it, much appreciated!

@tyrannosaurus-becks tyrannosaurus-becks merged commit 83d6d4d into hashicorp:master Dec 6, 2019
@adongy adongy deleted the adong/add_auth_backend_data_source branch December 8, 2019 09:51
dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this pull request Jun 17, 2021